Since v0.13, the Paramiko runner is the default SSH runner in BWC. Most of this
documentation assumes you are using the Paramiko runner. Wherever behavior differs from
the Fabric runner, it is called out.

BWC remote actions use the system_user and ssh_key_file set in the configuration file
(usually /etc/st2/st2.conf) as authentication credentials for remote boxes. This locks
things down so that all remote actions run as one defined user (default is stanley). The
``ssh_key_file`` is the private key file (RSA/DSA) for system_user. You can change the
username and key file by setting the appropriate values in the config file. If the key is
compromised, removing the public key for system_user from the target boxes revokes BWC's
access to them. We also recommend adding system_user to a Linux group and controlling
permissions on the target boxes as an additional security measure.
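
A defender-side check for the key file described above, as an added example that is not part of the BWC documentation: it reads ssh_key_file from the config and flags a private key, or a parent directory, that other local accounts can read or replace. The `[system_user]` section name, the demo file names and the placeholder key contents are assumptions constructed for the example.

```python
import configparser
import os
import stat
import tempfile


def audit_ssh_key(conf_path):
    """Return findings about the private key that st2.conf points at."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(conf_path)
    # Assumption: the values live in a [system_user] section.
    key = cp.get("system_user", "ssh_key_file", fallback=None)
    if not key:
        return ["ssh_key_file is not set in [system_user]"]
    try:
        key_st = os.stat(key)
    except OSError as exc:
        return [f"{key}: cannot stat ({exc.strerror})"]
    findings = []
    mode = stat.S_IMODE(key_st.st_mode)
    if mode & 0o077:
        findings.append(f"{key}: mode {mode:04o} exposes the key to group/other")
    # A writable parent directory lets another account swap the key file.
    parent = os.path.dirname(os.path.abspath(key))
    if stat.S_IMODE(os.stat(parent).st_mode) & 0o022:
        findings.append(f"{parent}: writable by group/other")
    return findings


def demo():
    """Build a constructed st2.conf and key, audit loose then tight modes."""
    root = tempfile.mkdtemp()  # created 0700, so the parent check passes
    key = os.path.join(root, "stanley_rsa")
    conf = os.path.join(root, "st2.conf")
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    with open(conf, "w") as fh:
        fh.write(f"[system_user]\nuser = stanley\nssh_key_file = {key}\n")
    os.chmod(key, 0o644)
    loose = audit_ssh_key(conf)
    os.chmod(key, 0o600)
    tight = audit_ssh_key(conf)
    return loose, tight


if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result or "ok")
```

Run `audit_ssh_key("/etc/st2/st2.conf")` on each action runner box; an empty list means neither check fired.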

Note

If you change the system_user or ssh_key_file values in the BWC
configuration file (usually /etc/st2/st2.conf), you must restart BWC to pick up the
changes. You can just restart the st2actionrunner component (e.g. service st2actionrunner restart).

To validate remote actions are working correctly, you can use the following command.

All automations (rules that kick off remote actions or scripts) will use this
username and private_key combination by default.

If you are not using the default SSH port 22, you can specify the port as part of the host string
in the hosts list, like hosts=localhost:55,st2build001:56. As of BWC version 2.1, you can also
specify custom ports via an SSH config file. To use an SSH config file, set up
/home/stanley/.ssh/config for user stanley on the BWC action runner boxes appropriately and add
the following configuration lines in /etc/st2/st2.conf.

We do not recommend running automations as an arbitrary user + private_key combination. This
would require you to set up the private_key for each user on the BWC action runner boxes and
the users' public keys on the target boxes. This increases the surface area for risk and
is highly discouraged.

That said, if you have st2client installed and want to run one-off commands on remote
boxes as a different user, we have a way.

For the above example to work, the key file /home/stanley/ssh_keys/.ssh/id_rsa has to be available
on the action runner boxes. We also support password as a parameter. As of version 2.1, you
can also specify custom keys for hosts via an SSH config file. A sample SSH config is shown below:

If you are running remote actions as sudo, a pseudo-TTY is enabled by default. This means
that the stdout and stderr streams get combined into one and reported as stdout. This
is true for both the fabric and paramiko SSH runners.

When using a bastion host for running remote actions, the bastion host must have AllowTcpForwarding
enabled. Additionally, the connection to the bastion host is made using the parameters provided for
the connection being tunneled, so the bastion host will require the user to exist with the same
name/password/private_key as the targeted remote box.